CrossRAT
- Type: Spyware
- Platform: Mac OS X
- Last updated: 02/01/18 10:47 pm
- Threat Level: High
Description
CrossRAT is cross-platform spyware that can be deployed on Windows, Linux, and macOS. First discovered in 2018, CrossRAT is attributed to the Dark Caracal APT group, which is thought to have links to a Lebanese government intelligence agency, and is part of a larger cyber-espionage campaign that has been carried out on a global scale since 2012.
The spyware is coded in the Java programming language and, when executed on macOS, attempts to write itself to the system as a .jar Java package file. CrossRAT also creates a LaunchAgent on an infected Mac so that it can achieve persistence (the ability to survive reboots and launch again when the computer is restarted).
Once CrossRAT has burrowed into the system, it contacts a remote command and control server to receive instructions from the malicious actors, at which time it also transmits OS and user information about the compromised machine. On an infected Mac, the spyware is able to manipulate the filesystem and take screenshots; on Windows machines, CrossRAT can also execute arbitrary code from DLLs.
Infection seems to take place via targeted phishing attacks which rely on a variety of file types, including Word documents with maliciously crafted macros. Significantly for Mac users, the spyware can only infect a system on which Java has been installed — and this is not the default on macOS 10.7 (Lion) and later. However, if Java has been installed on a newer Mac, the system is potentially at risk.
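The persistence described above (a .jar file started by a LaunchAgent) can be checked for directly. The following is an added example, not code from MacScan or from the original page: it lists LaunchAgents whose command line references a .jar file. It assumes the standard macOS LaunchAgent folders; the function names and the sample plist are constructed for illustration, and a hit is a lead for review, since legitimate Java software can be started the same way.

```python
import plistlib
from pathlib import Path

# Standard per-user and system-wide LaunchAgent folders on macOS (assumed locations).
AGENT_DIRS = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]

# Constructed sample for illustration; the label and paths are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/java</string><string>-jar</string>
         <string>/Users/Shared/example.jar</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def jar_command(plist_bytes):
    """Return the job's command line if it references a .jar file, else None."""
    try:
        job = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    except Exception:  # malformed or non-plist content: nothing to report
        return None
    if not isinstance(job, dict):
        return None
    args = job.get("ProgramArguments")
    args = args if isinstance(args, list) else []
    # launchd runs "Program" if present, otherwise the first ProgramArguments entry.
    cmd = [a for a in [job.get("Program"), *args] if isinstance(a, str)]
    return cmd if any(a.lower().endswith(".jar") for a in cmd) else None


def scan(dirs=AGENT_DIRS):
    """List (plist path, command) for every LaunchAgent that starts a .jar."""
    findings = []
    for folder in map(Path, dirs):
        if not folder.is_dir():
            continue
        for plist in sorted(folder.glob("*.plist")):
            try:
                cmd = jar_command(plist.read_bytes())
            except OSError:  # unreadable file, skip it
                continue
            if cmd:
                findings.append((str(plist), cmd))
    return findings


if __name__ == "__main__":
    for path, cmd in scan():
        print(f"{path}: {' '.join(cmd)}")
```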
CrossRAT Threat Removal
MacScan can detect and remove CrossRAT Spyware from your system, as well as provide protection against other security and privacy threats. A 30-day trial is available to scan your system for this threat.